Tuesday 21 March 2023
Using AI/ML to draft policy
Tuesday 29 November 2022
Information risks a-gurgling
There are clearly substantial information risks associated with the redaction of sensitive elements from disclosed reports and other formats, risks that the controls don't necessarily fully mitigate.
Yes, controls are fallible and constrained, leaving residual risks. This is hardly Earth-shattering news to any competent professional or enlightened infidel, and yet others are frequently shocked.
A new report* from a research team at the University of Illinois specifically concerns failures in the redaction processes and tools applied to PDF documents. The physical size of the variable-length black rectangle that covers or replaces redacted text may give clues as to the original content, while historically a disappointing number of redaction attempts have failed to prevent the original information being recovered simply by removing the cover images or by selecting and pasting the underlying text. Doh!
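The second failure mode above (text that is still in the file beneath a drawn box) is easy to check for before a document leaves the building. The following Python scanner is an added illustration, not code from the report or from this blog: it walks the content streams of a minimal, uncompressed PDF, lists every string drawn under a filled rectangle, and confirms that named sensitive substrings do not survive anywhere in the page text. The sample PDF bytes and account number are constructed for the example. Real documents usually have Flate-compressed streams, `TJ` arrays and escaped parentheses, none of which this toy parser handles; a production check would sit on a full PDF library, but the logic is the same.

```python
import re

# Constructed sample content streams (not from any real document). In the first, the
# sensitive string is still drawn and a black box merely sits on top of it; in the
# second the string has actually been removed and only the box remains.
BADLY_REDACTED_STREAM = (
    b"BT /F1 12 Tf 72 700 Td (Account: 12345678) Tj ET\n"
    b"BT /F1 12 Tf 72 680 Td (Public heading) Tj ET\n"
    b"0 g 70 696 110 14 re f\n"
)
PROPERLY_REDACTED_STREAM = (
    b"BT /F1 12 Tf 72 680 Td (Public heading) Tj ET\n"
    b"0 g 70 696 110 14 re f\n"
)


def wrap_pdf(content: bytes) -> bytes:
    """Wrap a content stream in the minimum PDF scaffolding this scanner needs (constructed)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(content)).encode() + b" >>\n"
            b"stream\n" + content + b"endstream\nendobj\n%%EOF\n")


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_BLOCK_RE = re.compile(rb"BT(.*?)ET", re.S)
# Inside a text block we only follow Td (relative move to next line) and Tj (show string).
TEXT_OP_RE = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+Td|\((.*?)\)\s*Tj", re.S)
# A filled rectangle, the usual shape of a "redaction" box:  x y w h re f
RECT_RE = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+re\s+f\b")


def text_with_positions(stream: bytes):
    """Yield (x, y, string) for every Tj in the stream, accumulating the Td translations."""
    for block in TEXT_BLOCK_RE.findall(stream):
        x = y = 0.0
        for m in TEXT_OP_RE.finditer(block):
            if m.group(1) is not None:
                x += float(m.group(1))
                y += float(m.group(2))
            else:
                yield x, y, m.group(3).decode("latin-1")


def filled_rectangles(stream: bytes):
    """All filled rectangles in the stream as (x, y, width, height) tuples."""
    return [tuple(float(v) for v in m.groups()) for m in RECT_RE.finditer(stream)]


def text_under_boxes(pdf: bytes):
    """Strings whose origin lies inside a filled rectangle: covered, but still in the file."""
    found = []
    for stream in STREAM_RE.findall(pdf):
        boxes = filled_rectangles(stream)
        for tx, ty, s in text_with_positions(stream):
            if any(bx <= tx <= bx + bw and by <= ty <= by + bh for bx, by, bw, bh in boxes):
                found.append(s)
    return found


def all_text(pdf: bytes):
    """Every string the page would hand to copy-and-paste, boxes or no boxes."""
    return [s for stream in STREAM_RE.findall(pdf) for _, _, s in text_with_positions(stream)]


def redaction_passes(pdf: bytes, forbidden) -> bool:
    """True only if none of the forbidden substrings survives anywhere in the page text."""
    return not any(f in s for s in all_text(pdf) for f in forbidden)


if __name__ == "__main__":
    for name, stream in [("badly", BADLY_REDACTED_STREAM), ("properly", PROPERLY_REDACTED_STREAM)]:
        pdf = wrap_pdf(stream)
        print(name, "redacted; text under boxes:", text_under_boxes(pdf),
              "; passes:", redaction_passes(pdf, ["12345678"]))
```

The two checks are deliberately separate: `text_under_boxes` catches the classic black-box-over-live-text mistake, while `redaction_passes` is the release gate a reviewer actually wants, since it does not care where the leftover text sits, only that it is gone.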
Wednesday 11 May 2022
Data masking and redaction policy
Last evening I completed and published another SecAware infosec policy template addressing ISO/IEC 27002:2022 clause 8.11 "Data masking":
"Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific, and business requirements, taking applicable legislation into consideration."
The techniques for masking or redacting highly sensitive information from electronic and physical documents may appear quite straightforward. However, experience tells us the controls are error-prone and fragile: they generally fail-insecure, meaning that sensitive information is liable to be disclosed inappropriately. That, in turn, often leads to embarrassing and costly incidents with the possibility of prosecution and penalties for the organisation at fault, along with reputational damage and brand devaluation.
The policy therefore takes a risk-based approach, outlining a range of masking and redaction controls but recommending advice from competent specialists, particularly if the risks are significant.
The $20 policy template is available here.
Being a brand new policy, it hasn't yet had the benefit of the regular reviews and updates that our more mature policies enjoy ... so, if you spot issues or improvement opportunities, please get in touch.
Friday 13 March 2020
March 13 - COVID-19 information risk analysis
- Large volumes of poor or dubious quality information spreading rapidly like Chinese whispers;
- Accidental misinformation and bad advice, spread inadvertently by naive if genuinely concerned people who misinterpret things, modify or elaborate on them, and pass them on**;
- So much information, in fact, that it is crowding out other stuff - not literally (I'm reasonably sure the Internet and assorted media have more capacity although they too must be suffering from people falling sick, believing they have the virus, scared of interacting with work colleagues or just "pulling a sickie"), but rather diverting attention from other matters;
- Smaller volumes of deliberately misleading information, promising miracle cures and priority access to limited resources, or opinion pieces and fake news promoting some agenda other than simply spreading factual information, exploiting the chaos to further hidden agendas.
Wednesday 26 February 2020
A good day down the salt mine
Friday 15 November 2019
Risky business
PS An article about the alleged shortage of pentesters casually mentions:
"The ideal pen tester also exhibits a healthy dose of deviancy. Some people are so bound by the rules of a system that they can’t think beyond it. They can’t fathom the failure modes of a system. Future penetration testers should have a natural inclination toward pushing the boundaries – especially when they are told, in no uncertain terms, not to do so."
Friday 1 February 2019
Security awareness module on mistakes
- Typos;
- Using inaccurate data, often without realizing it;
- Having to make decisions based on incomplete and/or out-of-date information;
- Mistakes when designing, developing, using and administering IT systems, including those that create or expose vulnerabilities to further incidents (such as hacks and malware);
- Misunderstandings, untrustworthiness, unreliability etc. harming the organization’s reputation and its business relationships.
Learning objectives
- Introduces the topic, describing the context and relevance of 'mistakes' to information risk and security;
- Expands on the associated information risks and typical information security controls to cut down on mistakes involving information;
- Offers straightforward information and pragmatic advice, motivating people to think, and most of all act, so as to reduce the number and severity of mistakes involving information;
- Fosters a corporate culture of error-intolerance through greater awareness, accountability and a focus on information quality and integrity.
HINT: Don't be surprised if the same methods lead to the same results. "The successful man will profit from his mistakes ... and try again in a different way" [Dale Carnegie].
Thursday 31 January 2019
Why so many IT mistakes?
Monday 28 January 2019
Creative technical writing
- Are there surprises? Is new material produced?
- How do the results the writer arrived at tie back to the purpose of the paper?
- Is there a logical flow from the body of the paper to the conclusion?
- What are the implications for further study and practice?
- Are there limitations in the paper the reader might want to investigate? Are they pointed at sufficiently?
- Does the writing feel “finished” at the end of the conclusion?
- Is the reader engaged until the end?
- How does the writer prompt the reader to continue the creative process?
- Screen-shots showing web pages or application screens such as security configuration options;
- Graphs - pie-charts, bar-charts, line-charts, spider or radar diagrams etc. depending on the nature of the data;
- Mind-maps separating the topic into key areas, sometimes pointing out key aspects, conceptual links and common factors;
- Process flow charts;
- Informational and motivational messages with eye-catching photographic images;
- Conceptual diagrams, often mistakenly called 'models' [the models are what the diagrams attempt to portray: the diagrams are simply representational];
- Other diagrams and images, sometimes annotated and often presented carefully to emphasize certain aspects.
Sunday 27 January 2019
Streaming awareness content
- For workers in general, the materials emphasize making efforts to avoid or at least reduce the number of mistakes involving information such as spotting and self-correcting typos and other simple errors.
- For managers, there are strategic, governance and information risk management aspects to this topic, with policies and metrics etc.
- For professionals and specialists, error-trapping, error-correction and similar controls are of particular interest.
Monday 21 January 2019
Computer errors
- Flaws are fundamental mistakes in the specification and design of systems such as 'the Internet' (a massive, distributed information system with seemingly no end of security and other flaws!). The specifiers and architects are in the frame, plus the people who hired them, directed them and accepted their work. Systems that are not sufficiently resilient for their intended purposes are an example of this: the issue is not that the computers fail to perform, but that they were designed to fail due to mistakes in the requirements specification;
- Bugs are coding mistakes e.g. the Pentium FDIV bug affecting firmware deep within the chip. Fingers point towards the software developers but again various others are implicated;
- Config and management errors are mistakes in the configuration and management of a system e.g. disabling controls such as antivirus, backups and firewalls, or neglecting to patch systems to fix known issues;
- Typos are mistakes in the data entered by users including those who program and administer the systems;
- Further errors are associated with the use of computers, computer data and outputs e.g. misinterpreting reports, inappropriately disclosing, releasing or allowing access to sensitive data, misusing computers that are unsuited for the particular purposes, and failing to control IT changes;
- 'Deliberate errors' include fraud e.g. submitting duplicate or false invoices, expenses claims, timesheets etc. using accidents, confusion, ineptitude as an excuse.
- Physical phenomena such as noise on communications links and power supplies frequently cause errors, the vast majority of which are automatically controlled against (e.g. detected and corrected using Cyclic Redundancy Checks) ... but some slip through due to limitations in the controls. These could also be categorized as physical incidents and inherent limitations of information theory, while limited controls are, again, largely the result of human errors;
- Just like people, computers are subject to rounding errors, and the mathematical principles that underpin statistics apply equally to computers, calculators and people. Fully half of all computers make more than the median number of errors!;
- Artificial intelligence systems can be misled by available information. They are almost as vulnerable to learning inappropriate rules and drawing false conclusions as we humans are. It could be argued that these are not even mistakes, however, since there are complex but mechanistic relationships between their inputs and outputs;
- Computers are almost as vulnerable as us to errors in ill-defined areas such as language and subjectivity in general - but again it could be argued that these aren't even errors. Personally, I think people are wrong to use SMS/TXT shortcuts and homonyms in email, and by implication email systems are wrong in neither expanding nor correcting them for me. I no U may nt accpt tht.
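The bullet about noise on communications links credits Cyclic Redundancy Checks with catching most such errors while some slip through. A CRC on its own only detects errors (correction comes from retransmission or a separate error-correcting code), and the detection has a well-defined blind spot. The following Python example is added here for illustration and is not code from the post: it implements CRC-16/XMODEM bit by bit, shows a single-bit flip being caught, then applies a constructed error pattern equal to the generator polynomial, which the check cannot see because CRC arithmetic is linear. The frame payload is constructed.

```python
# CRC-16/XMODEM: generator x^16 + x^12 + x^5 + 1, init 0, no reflection, no final XOR.
POLY = 0x1021
GENERATOR_BYTES = b"\x01\x10\x21"   # the full generator 0x11021, byte-aligned


def crc16_xmodem(data: bytes) -> int:
    """Bitwise CRC. With init 0 and no XOR-out this equals data(x) * x^16 mod G(x),
    which makes it linear: crc(a ^ b) == crc(a) ^ crc(b) for equal-length inputs."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def xor_at(data: bytes, offset: int, pattern: bytes) -> bytes:
    """Return data with `pattern` XORed in at `offset` (simulates bit errors on a link)."""
    out = bytearray(data)
    for i, b in enumerate(pattern):
        out[offset + i] ^= b
    return bytes(out)


def crc_detects(original: bytes, received: bytes) -> bool:
    """A receiver comparing the appended CRC notices a change only if the CRCs differ."""
    return crc16_xmodem(original) != crc16_xmodem(received)


FRAME = b"TRANSFER 1000.00 TO ACCT 4242"   # constructed payload


def single_bit_flip_detected() -> bool:
    """Random noise flipping one bit changes the remainder, so the frame is rejected."""
    return crc_detects(FRAME, xor_at(FRAME, 9, b"\x01"))


def generator_pattern_detected() -> bool:
    """An error pattern that is a multiple of G(x) leaves the remainder unchanged, so the
    corrupted frame carries a valid CRC. Every CRC has this class of blind spot."""
    return crc_detects(FRAME, xor_at(FRAME, 9, GENERATOR_BYTES))


if __name__ == "__main__":
    print(f"CRC of check string: {crc16_xmodem(b'123456789'):#06x}")
    print("single-bit flip detected:", single_bit_flip_detected())
    print("generator-shaped error detected:", generator_pattern_detected())
```

For accidental noise the undetected patterns are rare enough that a CRC is a fine control; for anything an adversary might touch, the same linearity means a CRC offers no integrity assurance at all, which is why message authentication codes or signatures are the control of choice there.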
Sunday 20 January 2019
Human error stats
For example, the Cyber Security Breaches Survey 2018 tells us:
"It is important to note that the survey specifically covers breaches or attacks, so figures reported here also include cyber security attacks that did not necessarily get past an organisation’s defences (but attempted to do so)."